diff --git a/remove_build_id.patch b/remove_build_id.patch index 1adf889..12f58d7 100644 --- a/remove_build_id.patch +++ b/remove_build_id.patch @@ -1,23 +1,22 @@ -Index: shim/shim-15.4/gnu-efi/Make.defaults +Index: shim-15.8/gnu-efi/Make.defaults =================================================================== ---- shim-15.4.orgi/gnu-efi/Make.defaults -+++ shim-15.4/gnu-efi/Make.defaults -@@ -205,8 +205,7 @@ ARFLAGS := rDv - endif +--- shim-15.8.orig/gnu-efi/Make.defaults ++++ shim-15.8/gnu-efi/Make.defaults +@@ -205,7 +205,7 @@ endif ASFLAGS += $(ARCH3264) --LDFLAGS += -nostdlib --warn-common --no-undefined --fatal-warnings \ -- --build-id=sha1 -+LDFLAGS += -nostdlib --warn-common --no-undefined --fatal-warnings + LDFLAGS += -nostdlib --warn-common --no-undefined --fatal-warnings \ +- --build-id=sha1 --no-warn-rwx-segments ++ --no-warn-rwx-segments ifneq ($(ARCH),arm) export LIBGCC=$(shell $(CC) $(CFLAGS) $(ARCH3264) -print-libgcc-file-name) -Index: shim/shim-15.4/Make.defaults +Index: shim-15.8/Make.defaults =================================================================== ---- shim-15.4.orig/Make.defaults -+++ shim-15.4/Make.defaults -@@ -184,7 +184,7 @@ ifneq ($(origin VENDOR_DBX_FILE), undefi - DEFINES += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" +--- shim-15.8.orig/Make.defaults ++++ shim-15.8/Make.defaults +@@ -192,7 +192,7 @@ ifneq ($(origin SBAT_AUTOMATIC_DATE), un + DEFINES += -DSBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE) endif -LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined diff --git a/shim-15.7.tar.bz2 b/shim-15.7.tar.bz2 deleted file mode 100644 index 9c5c79e..0000000 --- a/shim-15.7.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:87cdeb190e5c7fe441769dde11a1b507ed7328e70a178cd9858c7ac7065cfade -size 1334863 
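Review bot: The rebased patch still has no header saying why `--build-id=sha1` is dropped from both link lines; the `Index:` lines are its only preamble, so the next rebase has nothing to check the intent against. A one-line rationale above the first `Index:` line, e.g. `Drop the linker build-id note from shim and gnu-efi: <reason not stated on this page>`, would fix that. The gnu-efi hunk looks right in that it keeps `--no-warn-rwx-segments` while removing only the build-id flag. For the top-level Make.defaults, however, only the inner `-LDFLAGS ... --build-id=sha1 ...` line is visible as unchanged context and the replacement `+LDFLAGS` line lies past the end of this outer hunk, so whether it reproduces the 15.8 flags minus `--build-id=sha1` cannot be confirmed here; a stale replacement line would silently revert link flags added upstream between 15.4 and 15.8.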
diff --git a/shim-15.8.tar.bz2 b/shim-15.8.tar.bz2
new file mode 100644
index 0000000..06115c7
--- /dev/null
+++ b/shim-15.8.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9
+size 2315201
diff --git a/shim-Enable-the-NX-compatibility-flag-by-default.patch b/shim-Enable-the-NX-compatibility-flag-by-default.patch
deleted file mode 100644
index 85061ec..0000000
--- a/shim-Enable-the-NX-compatibility-flag-by-default.patch
+++ /dev/null
@@ -1,84 +0,0 @@ -From a53b9f7ceec1dfa1487f4d675573449c5b2a16fb Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 17 Nov 2022 12:31:31 -0500 -Subject: [PATCH] Enable the NX compatibility flag by default. - -Currently by default, when we build shim we do not set the PE -NX-compatibility DLL Characteristic flag. This signifies to the -firmware that shim (including the components it loads) is not prepared -for several related firmware changes: - -- non-executable stack -- non-executable pages from AllocatePages()/AllocatePool()/etc. -- non-writable 0 page (not strictly related but some firmware will be - transitioning at the same time) -- the need to use the UEFI 2.10 Memory Attribute Protocol to set page - permissions. - -This patch changes that default to be enabled by default. Distributors -of shim will need to ensure that either their builds disable this bit -(using "post-process-pe -N"), or that the bootloaders and kernels you -support loading are all compliant with this change. A new make -variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so. - -Signed-off-by: Peter Jones ---- - BUILDING | 3 +++ - Make.defaults | 2 ++ - Makefile | 2 +- - post-process-pe.c | 2 +- - 4 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/BUILDING b/BUILDING -index 3b2e85d3..17cd98d3 100644 ---- a/BUILDING -+++ b/BUILDING -@@ -78,6 +78,9 @@ Variables you could set to customize the build: - - OSLABEL - This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS. - By default this is the same value as EFIDIR . -+- POST_PROCESS_PE_FLAGS -+ This allows you to add flags to the invocation of "post-process-pe", for -+ example to disable the NX compatibility flag. 
- - Vendor SBAT data: - It will sometimes be requested by reviewers that a build includes extra -diff --git a/Make.defaults b/Make.defaults -index c46164a3..9af89f4e 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \ - $(INCLUDES) \ - $(DEFINES) - -+POST_PROCESS_PE_FLAGS = -+ - ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) - DEFINES += -DOVERRIDE_SECURITY_POLICY - endif -diff --git a/Makefile b/Makefile -index a9202f46..f0f53f8f 100644 ---- a/Makefile -+++ b/Makefile -@@ -255,7 +255,7 @@ endif - -j .rela* -j .dyn -j .reloc -j .eh_frame \ - -j .vendor_cert -j .sbat -j .sbatlevel \ - $(FORMAT) $< $@ -- ./post-process-pe -vv $@ -+ ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@ - - ifneq ($(origin ENABLE_SHIM_HASH),undefined) - %.hash : %.efi -diff --git a/post-process-pe.c b/post-process-pe.c -index de8f4a38..f39fdddf 100644 ---- a/post-process-pe.c -+++ b/post-process-pe.c -@@ -42,7 +42,7 @@ static int verbosity; - 0; \ - }) - --static bool set_nx_compat = false; -+static bool set_nx_compat = true; - - typedef uint8_t UINT8; - typedef uint16_t UINT16; diff --git a/shim.changes b/shim.changes index ce5abf0..58fa53f 100644 --- a/shim.changes +++ b/shim.changes 
@@ -1,3 +1,84 @@
+-------------------------------------------------------------------
+Sun Jan 28 09:32:32 UTC 2024 - Dennis Tseng
+
+-- Update to version 15.8
+ - Various CVE fixes are already merged into this version
+ mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
+ avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
+ Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
+ Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
+ pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
+ pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
+ - remove shim-Enable-the-NX-compatibility-flag-by-default.patch
+ The codes in this patch are already existing in shim-15.8
+ The NX flag is disable which is same as the default value of shim-15.8,
+ hence, not need to enable it by this patch now.
+ - Patches (git log --oneline --reverse 15.7..15.8)
+ 657b248 Make sbat_var.S parse right with buggy gcc/binutils
+ 7c76425 Enable the NX compatibility flag by default.
+ 89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
+ c7b3051 pe: Align section size up to page size for mem attrs
+ e4f40ae pe: Add IS_PAGE_ALIGNED macro
+ f23883c Don't loop forever in load_certs() with buggy firmware
+ 1f38cb3 Optionally allow to keep shim protocol installed
+ 102a658 Drop invalid calls to `CRYPTO_set_mem_functions`
+ aae3df0 test-sbat: Fix exit code
+ cca3933 Block Debian grub binaries with SBAT < 4
+ cf59f34 Further improve load_certs() for non-compliant drivers/firmwares
+ 0601f44 SBAT-related documents formatting and spelling
+ 0640e13 Add a security contact email address in README.md
+ 0bfc397 Work around malformed path delimiters in file paths from DHCP
+ a8b0b60 pe: only process RelocDir->Size of reloc section
+ f7a4338 Skip testing msleep()
+ 549d346 Rename 'msecs' to 'usecs' to avoid potential confusion
+ 908c388 Change type of fallback_verbose_wait from int to unsigned long
+ 05eae92 Add SbatLevel_Variable.txt to document the various revocations
+ 243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
+ 89d25a1 Add a make rule for compile_commands.json
+ 118ff87 Add gnu-stack notes
+ f132655 test: Make our fake dprintf be a statement.
+ be00279 Remove CentOS 7 test builds.
+ 9964960 Split pe.c up even more.
+ 569270d Test (and fix) ImageAddress()
+ 61e9894 Verify signature before verifying sbat levels
+ 1578b55 Add libFuzzer support for csv.c
+ a0673e3 Fix a 1-byte memory leak in .sbat parsing.
+ e246812 Add libFuzzer support to the .sbat parser.
+ fd43eda Work around ImageAddress() usage mistake
+ 1e985a3 Correctly free memory allocated in handle_image()
+ dbbe3c8 mok: Avoid underflow in maximum variable size calculation
+ 04111d4 Make some of the static analysis tools a little easier to run
+ 7ba7440 compile_commands.json: remove stuff clang doesn't like
+ 66e6579 CVE-2023-40546 mok: fix LogError() invocation
+ f271826 Add primitives for overflow-checked arithmetic operations.
+ 8372147 pe-relocate: Add a fuzzer for read_header()
+ 5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
+ e912071 pe-relocate: make read_header() use checked arithmetic operations.
+ 93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
+ e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550
+ afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
+ 96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
+ dae82f6 Further mitigations against CVE-2023-40546 as a class
+ ea0f9df Allow SbatLevel data from external binary
+ b078ef2 Always clear SbatLevel when Secure Boot is disabled
+ 7dfb687 BS Variables for bootmgr revocations
+ a967c0e shim should not self revoke
+ 577cedd Print message when refusing to apply SbatLevel
+ e801b0d sbat revocations: check the full section name
+ 0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+ 6f0c8d2 Print errors when setting/clearing memory attrs
+ 57c0eed Updated Revocations for January 2024 CVEs
+ 49c6d95 Fix some minor ia32 build issues.
+ be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all.
+ 13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5
+ c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist
+ 30a4f37 Rename "previous" revocations to "automatic"
+ 6f395c2 Build time selectable automatic SBATLevel revocations
+ a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER
+ 993a345 Try to load revocations.efi even if directory read fails
+ 1770a03 gitmodules: use shim-15.8 for gnu-efi branch
+ 5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8
+
 -------------------------------------------------------------------
 Thu Oct 5 13:19:48 UTC 2023 - Ludwig Nussel
diff --git a/shim.spec b/shim.spec
index f6c9777..9547339 100644
--- a/shim.spec
+++ b/shim.spec
@@ -36,7 +36,7 @@
 %endif
 Name: shim
-Version: 15.7
+Version: 15.8
 Release: 0
 Summary: UEFI shim loader
 License: BSD-2-Clause
@@ -75,8 +75,6 @@ Patch3: shim-bsc1177315-verify-eku-codesign.patch
 Patch4: remove_build_id.patch
 # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
 Patch5: shim-disable-export-vendor-dbx.patch
-# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch jlee@suse.com -- Enable the NX compatibility flag by default
-Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch
 BuildRequires: dos2unix
 BuildRequires: mozilla-nss-tools
 BuildRequires: openssl >= 0.9.8
@@ -126,7 +124,6 @@ The source code of UEFI shim loader
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -p1
 %build
 # generate the vendor SBAT metadata
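Review bot: Dropping Patch6 here (and `%patch6 -p1` in the %prep hunk) changes the shipped binary's hardening posture rather than being a no-op: the deleted patch set `set_nx_compat = true` in post-process-pe.c, so the 15.7 package was built with the PE NX-compatibility flag on, while the changelog added in this same commit lists `be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all`, so 15.8 built without the patch ships with it off. The changelog wording ("The NX flag is disable which is same as the default value of shim-15.8") describes the upstream default but not this change from the previous package. If NX_COMPAT-off is the intended outcome, record it next to the remaining Patch lines, e.g. `# NX_COMPAT is no longer set: upstream 15.8 defaults it off (be8ff7c); formerly enabled by Patch6`; if it is not, the build has to pass the post-process-pe option that sets the flag (the counterpart of the `-N` the removed patch's description mentions) through `POST_PROCESS_PE_FLAGS`, the make variable introduced by commit 7c76425 that the changelog lists as merged, and this spec sets nothing of the kind. Whether that variable survived be8ff7c unchanged cannot be confirmed from this page.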